Escaping potential errors when passing variables thru URL


127.0.0.1


Hello.

Suppose I am passing variables through a URL like this [b]http://www.mysite.com/index.php?article=48338[/b]. The article variable then in turn is used to make a SQL query. Obviously, any person can tamper with that parameter, changing the variable.

Currently I am escaping potentially erroneous variables with the following

[code=php:0]
// Check that the variable exists and is not empty
if (isset($_GET['article']) && !empty($_GET['article']))
{
    // Check that the only characters passed are digits
    // (preg_match() stands in for ereg(), which was removed in PHP 7)
    if (preg_match('/[^0-9]/', $_GET['article']))
        $flag_error = true;
    else
        doWhateverFunction($_GET['article']);
}
[/code]

My question is, am I doing sufficient checks? Is there a better way? Could I compact the code? I tried to merge both if-statements, however it failed to work for me.

Looks good to me. But I'm not sure if that's really guarding against anything. I'm assuming if they used something other than digits they'd get a 404 error. Or, a page id that doesn't exist would do the same. Might be wise to include some custom 404 page as another deterrent as well as protection against them looking for an open directory (no index.xxx page).

Someone else asked a similar question in how to make sure the $_GET was populated by an actual URL passing it. You might search a bit in this forum for that topic.

It's pretty good.
If you want to be sure, use mysql_real_escape_string() on every variable that is entered into the query. Don't forget to use stripslashes() if magic_quotes is set.
See more information in the manual, under mysql_real_escape_string().
(I am assuming you are using MySQL)

Orio.
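The two posts above (the original validation question and Orio's escaping advice) can be combined into one check. The following is an added example, not code from the original poster or from Orio: it validates the article id so that only a plain positive integer reaches the query, and then binds that integer with a PDO prepared statement instead of escaping a string. The table name `articles`, the column names, and the function names are illustrative assumptions, as is the sample input list at the bottom.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table
// `articles` with an integer primary key `id` and a PDO connection;
// the table, column and function names are illustrative.

/**
 * Return the article id as an int, or null when the parameter is
 * missing or is not a plain positive decimal integer. Inputs such as
 * "581/", "12abc", "1e3", " 12", "-5", "" and article[]=1 are rejected.
 */
function validate_article_id(array $query): ?int
{
    // isset() alone would accept an array (article[]=1), so check the type.
    if (!isset($query['article']) || !is_string($query['article'])) {
        return null;
    }
    $raw = $query['article'];
    // ctype_digit() accepts only the ASCII digits 0-9 and rejects "".
    // The length bound keeps the value below PHP_INT_MAX on 64-bit builds,
    // so the (int) cast cannot silently saturate.
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;   // ids start at 1, so "0" and "000" fail
}

/**
 * Fetch one article by id. A prepared statement keeps the value out of
 * the SQL text, so no mysql_real_escape_string()/stripslashes() step is
 * needed and magic_quotes no longer matters for this parameter.
 */
function load_article(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** What index.php would do with the live request. */
function handle_request(array $get, PDO $pdo): void
{
    $id = validate_article_id($get);
    $article = $id === null ? null : load_article($pdo, $id);
    if ($article === null) {
        // Tampered, malformed or unknown id: one uniform 404, no detail leaked.
        http_response_code(404);
        echo 'Article not found';
        return;
    }
    echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs showing what the check accepts and rejects.
foreach (['48338', '581/', '0', '12abc', '', '99999999999999999999', ['1']] as $sample) {
    $id = validate_article_id(['article' => $sample]);
    printf("%-24s => %s\n", json_encode($sample), $id === null ? 'rejected' : "id $id");
}
// In production (connection details assumed):
// handle_request($_GET, new PDO('mysql:host=localhost;dbname=mysite', $user, $pass));
```

Run from the command line, the loop reports `48338` as accepted and every other sample as rejected; the `581/` case is exactly what the rewrite rule in the next post hands to `index.php`, so the script-side check still has to cope with it.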

Thanks guys.

Another question though,

I am using an [tt].htaccess[/tt] file to create friendly URLs.

[code]
ErrorDocument 404 /_errors/404.shtml

RewriteEngine on
RewriteRule ^article/(.*)\.html /index.php?article=$1
[/code]

I managed to "break" my page by putting [tt]%2F[/tt] at the end of the variable parameter: www.mysite.com/article/581%2F.html. I do not understand this, because if I access the equivalent erroneous URL with a slash rather than [tt]%2F[/tt], www.mysite.com/article/581/.html, I receive the proper error message from my script telling me the article could not be found.

This has a peculiar result because not only does it break the script, but it also renders this message:

[quote]
Not Found
The requested URL /article/581/.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
[/quote]

Which is odd because I have defined the 404 ErrorDocument and it works with other 404 errors.

Any advice as to how I can remedy these issues?
